Adversarial Examples for Captcha: Techniques, Applications, and Future Directions
This article presents a comprehensive overview of adversarial example research applied to captcha systems, covering the definition and history of adversarial attacks, geometric‑aware generation frameworks, FGSM‑based attack variants, experimental results, trade‑offs between image quality and attack strength, and future work such as AdvGAN integration.
Introduction – Captcha serves as the first line of defense in network security, but the rapid development of convolutional neural networks has weakened many captcha schemes. Adversarial examples, first introduced by Christian Szegedy in 2014, exploit subtle, non‑random perturbations to cause high‑confidence misclassifications in deep models.
Why Adversarial Examples Matter – Since AlexNet (2012), deep neural networks have proliferated in autonomous driving, medical, finance, and security domains. Small perturbations can cause critical misclassifications, such as traffic signs being misread, prompting research into both attacking and defending AI systems, especially captcha recognition.
Historical Development – Early works include Szegedy’s L‑BFGS method (2014) and Goodfellow’s FGSM (2015). Subsequent methods built on FGSM, such as I‑FGSM, MI‑FGSM, DI‑FGSM, and TI‑FGSM, as well as optimization‑based attacks like C&W and generative approaches like AdvGAN.
Geometric‑Aware Adversarial Generation Framework – The framework splits models into a training model (f), a validation model (h), and a test model (g) to improve transferability. It iteratively attacks f while requiring the adversarial image to push confidence on h below a threshold, and relaxes the L‑p norm constraint gradually so that visual similarity is maintained.
Specific Attack Methods – FGSM performs a single gradient step; I‑FGSM iterates multiple steps. MI‑FGSM adds momentum, DI‑FGSM incorporates random input transformations, and TI‑FGSM applies kernel‑based gradient smoothing. These variants enhance attack success and transferability.
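The loop described in the two sections above, as an added example that is not code from the original article: I‑FGSM against a training model f, a stop check on a validation model h, a tier‑by‑tier relaxation of the L‑inf budget, and a final evaluation on a held‑out model g. The three models are constructed toy logistic classifiers over eight pixel values (an assumption, chosen so the gradient has a closed form and the block runs on the standard library alone); `geometric_aware`, `grad_sign`, `SCALE` and the schedule values are hypothetical names and settings.

```python
import math

SCALE = 64.0  # constructed: maps 0-255 pixel sums into logit range

def confidence(model, x):
    """Probability a toy logistic model (w, b) assigns to the true class."""
    w, b = model
    z = sum(wi * xi for wi, xi in zip(w, x)) / SCALE + b
    return 1.0 / (1.0 + math.exp(-z))

def grad_sign(model):
    """Sign of d(-log p)/dx for the true class; for a logistic model: -sign(w)."""
    return [(wi < 0) - (wi > 0) for wi in model[0]]

def geometric_aware(x0, f, h, eps_schedule=(8, 16, 32, 64), alpha=2, steps=40, tau=0.01):
    """I-FGSM on training model f, stopping once validation model h falls
    below tau. The L-inf budget eps is relaxed only when a tier fails.
    Returns (image, eps tier used, h confidence)."""
    for eps in eps_schedule:
        x = list(x0)
        for _ in range(steps):
            # One signed-gradient step, clipped to the eps ball and to [0, 255].
            x = [min(max(xi + alpha * s, max(0, o - eps)), min(255, o + eps))
                 for xi, s, o in zip(x, grad_sign(f), x0)]
            if confidence(h, x) < tau:
                return x, eps, confidence(h, x)
    return x, eps, confidence(h, x)

# Constructed sample: 8 "pixels" and three correlated toy models.
X0 = [200, 180, 60, 40, 220, 30, 190, 50]
F = ([2, 2, -2, -2, 2, -2, 2, -2], -14.0)   # training model f
H = ([3, 1, -1, -3, 2, -2, 0, -1], -10.0)   # validation model h
G = ([1, 2, -3, -1, 3, -1, 1, -2], -12.0)   # held-out test model g

def run_demo():
    adv, eps, h_conf = geometric_aware(X0, F, H)
    linf = max(abs(a - o) for a, o in zip(adv, X0))
    return adv, eps, linf, h_conf, confidence(G, adv)

if __name__ == "__main__":
    adv, eps, linf, h_conf, g_conf = run_demo()
    print(f"eps tier={eps} actual L-inf={linf} h={h_conf:.4f} g={g_conf:.4f}")
```

Because the loop stops as soon as h falls below the threshold, the perturbation actually applied can be smaller than the budget tier that was unlocked, which is what keeps the image closer to the original.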
Experimental Results – Ten ImageNet‑pretrained models (including Vision Transformer, ResNet, Inception) achieved >98% accuracy on clean captcha images. With model1 as the training model, model0 as the validation model, and model7 as the target model, an attack under a maximum perturbation of 64 pixels reduced confidence on the validation model below 0.01 and dropped the accuracy of unseen models below 20%.
Trade‑off Between Image Quality and Attack Effectiveness – Larger perturbation limits (e.g., 64) produce visually noisy images, while reducing the limit (e.g., 20) and using ensemble training/validation models preserves more visual quality while maintaining attack strength.
Explorations Beyond Captcha – Preliminary attacks on CRNN‑based sequence recognition and YOLOv3 object detection demonstrated successful adversarial perturbations with minimal visual differences.
Engineering Pipeline for Puzzle Captcha – A pipeline crawls diverse images, trains models, generates adversarial samples via the geometric framework, filters low‑quality images, and assembles final adversarial puzzle captchas.
Future Work – Plans include adopting GAN‑based generation (AdvGAN) to decouple model training from adversarial sample creation, improving efficiency and deployment cost.
Conclusion – The presented research showcases the feasibility and challenges of applying adversarial examples to captcha security, highlighting both the threat they pose and their potential for defensive strategies.
DataFunTalk